1. Field of the Invention
The present invention relates to a technique for a data exchange communications network, and more particularly, to a technique for protecting a device, which is connected to a communications network, from an illegal access.
2. Description of the Related Art
An IPS (Intrusion Prevention System) is initially described.
A firewall is the representative device for protecting the IT system of an organization. The firewall is installed at the point where the communications network external to the organization (external network) and the communications network within the organization (internal network) are connected, and is intended to protect the internal network from illegal access by restricting the services (ports) for which a connection from the external network is permitted. However, if malicious code is embedded in an access to a permitted service, the firewall cannot detect that code. The IPS is a device having a function to protect the internal network by detecting such malicious code.
The IPS targets all packets that flow on a communications network, detects and discards an attack packet by analyzing data within the protocol header or the datagram of each packet, and notifies an administrator terminal that an attack has been made. This data analysis is implemented as an examination of the header or the datagram of a packet against a pattern file distributed for each attack pattern. This pattern file is updated day by day in order to cope with the latest attacks, and the latest search patterns are provided, for example, over the Internet. Here, if an attack packet is detected, the IPS transmits an RST (Reset) packet of the TCP (Transmission Control Protocol) to the attack source (the source of the attack packet), which forcibly disconnects the TCP connection. The internal network is protected in this way.
Among IPSes, an IPS that particularly targets an attack to a Web application is referred to as WAF (Web Application Firewall). In this application, however, the WAF and a normal IPS are collectively referred to as an IPS without making a distinction between them.
An SLB (Server Load Balancer) is described next.
The SLB is a device for managing, in a centralized manner, connection requests from client terminals in an external network to a server provided in an internal network, and for transferring the requests to a plurality of servers in the internal network, each of which has an equal function. For example, if the number of accesses from users is too large for the processing capability of one Web server, the Web server becomes overloaded and its response speed to users becomes slow. The SLB distributes the requests from users across a plurality of servers, whereby each server can be made to maintain an appropriate response speed. The SLB also has a function not to distribute a connection request to a server that is down. Accordingly, using the SLB also improves the fault-tolerance of a Web server.
FIG. 1 is described. The configuration of the communications network exemplified in this figure shows a configuration where load distribution is made to 4 servers 301a, 301b, 301c, and 301d in an internal network 200. An SLB 201 is provided in this configuration, which yields at most a 4-fold increase in performance as well as an improvement in fault-tolerance, compared with the case where one server is operated.
Operations of the SLB 201 shown in FIG. 1 are described below.
Assume that a client terminal 101a among client terminals 101a, 101b, . . . , which exist in an external network 100, issues a request to http://www.a.com in FIG. 1. Also assume that the IP address of the client terminal 101a is 172.16.10.55.
A DNS (Domain Name System) server, not shown, initially performs name resolution for the request issued from the client terminal 101a. Here, assume that the DNS resolves the domain name www.a.com to the IP address 10.10.1.100. The client terminal 101a that has received this IP address issues a connection request to the server to which this IP address is assigned (here, a virtual server 300 in the internal network 200).
In the internal network 200, the virtual server 300 is configured with the SLB 201, and the servers 301a, 301b, 301c, 301d. Assume that IP addresses 192.168.20.1, 192.168.20.2, 192.168.20.3, and 192.168.20.4 are respectively assigned to the servers 301a, 301b, 301c, and 301d. 
The connection request issued from the client terminal 101a is initially received by the SLB 201. Then, the SLB 201 selects a server that is currently running from among the 4 servers 301a, 301b, 301c, and 301d provided within the internal network 200 according to a predetermined load distribution algorithm such as round-robin. Then, the SLB 201 forwards the connection request from the client terminal 101a to the selected server (referred to as a real server). At this time, the SLB 201 rewrites the destination IP address in the connection request issued from the client terminal 101a to the IP address of the real server. Accordingly, the client terminal 101a appears to communicate with the virtual server 300 and is unaware of the real server.
In the meantime, for a communication from the real server to the client terminal 101a, the SLB 201 performs the reverse procedure: it rewrites the source IP address in the response issued by the real server to the connection request from the IP address of the real server (this IP address is referred to as an "RIP (Real IP address)") to the IP address of the virtual server 300 (this IP address is referred to as a "VIP (Virtual IP address)").
As described above, the SLB 201 provides the functions as one type of an address translating device.
Considered next is the protection of the internal network 200 from illegal access made from the external network 100 by installing the above described IPS in the communications network whose configuration is shown in FIG. 1. To implement this, an IPS 202 is normally installed at the boundary between the external network 100 and the internal network 200, namely, between the external network 100 and the SLB 201, as shown in FIG. 2. A firewall is sometimes also installed between the external network 100 and the IPS 202 in order to protect the internal network 200, although this is not shown in FIG. 2.
In FIG. 2, an administrator terminal 203 is also depicted along with the IPS 202. Upon detection of an attack packet, the IPS 202 notifies the administrator terminal 203 that the attack packet has been detected, and thereby notifies an administrator 204 of the internal network 200. In the configuration example shown in FIG. 2, two servers 301a and 301b are installed in the internal network 200.
As a technique for protecting an internal network from an attack made from an external network in this way, Japanese Published Unexamined Patent Application No. 2005-293550 discloses a technique for examining a data packet that passes through a firewall and, if the examination detects a data packet that represents an attack, for installing a policy that protects the internal network from the data packet and setting information helpful to the analysis of the data packet.
Incidentally, the number of cases where an attack is made from a server in an internal network to a client terminal in an external network, such as a case where a malicious operator of the internal network embeds attack code in a server, has also been increasing in recent years. Such a case is described with reference to FIG. 3.
The configuration of the communications network exemplified in FIG. 3 is the same as that shown in FIG. 2. Assume that a malicious operator embeds code for attacking the client terminal 101a in one of the servers 301a and 301b in this configuration. At this time, a communication packet issued from the server 301a or 301b carries as its source IP address either RIP1 (when the packet is issued from the server 301a) or RIP2 (when the packet is issued from the server 301b).
However, in the configuration shown in FIG. 3, the SLB 201 is provided in the internal network 200. The SLB 201 executes an address translation process that rewrites the source IP address indicated in the packet to the IP address assigned to the virtual server 300, namely the VIP, regardless of whether the packet is issued from the server 301a or 301b. Accordingly, if the IPS 202 detects code for attacking the client terminal 101a in the communication packet transmitted from the SLB 201 ((1) in FIG. 3) and notifies the administrator terminal 203 of the source IP address indicated in the communication packet ((2) in FIG. 3), the notified source IP address is the VIP. Therefore, from this notification alone, the administrator 204 cannot identify whether the code for attacking the client terminal 101a is embedded in the server 301a or in the server 301b ((3) in FIG. 3). Additionally, since the attack source cannot be identified, the client terminal 101a also cannot be protected by transmitting the above described RST packet to the attack source and forcibly disconnecting the TCP connection.
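The following is an added example, not part of the patent or any product it describes, that models the address translation performed by the SLB 201 (destination NAT from the VIP to an RIP on inbound packets, source NAT from an RIP to the VIP on outbound packets) and what an IPS placed between the external network and the SLB can then observe. The IP addresses are those of FIG. 1; the TCP ports, sequence numbers, the attack signature, the HTTP payloads and the per-connection table the SLB keeps are all constructed for the example. Both the inbound translation described for the client's request and the outbound case of FIG. 3, in which attacks from the server 301a and from the server 301b are reported with the same source address, are exercised.

```python
# Added example (not from the patent): SLB address translation of FIG. 1
# and the visibility of an IPS placed between the external network and
# the SLB. Ports, sequence numbers, signature and payloads are constructed.
from dataclasses import dataclass, replace
import itertools
import re

VIP = "10.10.1.100"                      # address of virtual server 300
RIPS = ["192.168.20.1", "192.168.20.2",  # real servers 301a..301d
        "192.168.20.3", "192.168.20.4"]
CLIENT = "172.16.10.55"                  # client terminal 101a


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str = "PA"      # tcpdump-style TCP flags: S, PA, R, ...
    payload: bytes = b""


class SLB:
    """Round-robin server load balancer. A connection table keyed on the
    client's address and port (an assumption of this model) keeps every
    packet of one connection on the same real server."""

    def __init__(self, vip, rips):
        self.vip = vip
        self.rips = list(rips)
        self._next = itertools.cycle(self.rips)
        self.conns = {}  # (client ip, client port) -> RIP of the chosen server

    def inbound(self, pkt):
        """External -> internal: destination NAT, VIP -> RIP."""
        if pkt.dst != self.vip:
            raise ValueError("packet is not addressed to the virtual server")
        key = (pkt.src, pkt.sport)
        if key not in self.conns:
            self.conns[key] = next(self._next)   # choose a real server
        return replace(pkt, dst=self.conns[key])

    def outbound(self, pkt):
        """Internal -> external: source NAT, RIP -> VIP. Whichever real
        server sent the packet, the external side only ever sees the VIP."""
        if pkt.src not in self.rips:
            raise ValueError("packet is not from a real server")
        return replace(pkt, src=self.vip)


# Constructed pattern standing in for one entry of an IPS pattern file.
PATTERNS = [re.compile(rb"<script[^>]*>.*?</script>", re.I | re.S)]


class IPS:
    """Pattern-matching IPS: on a hit it records the source address it saw
    (what the administrator terminal would be told) and returns the RST it
    would send to that source."""

    def __init__(self, patterns):
        self.patterns = patterns
        self.alerts = []   # source addresses reported to the administrator

    def inspect(self, pkt):
        if not any(p.search(pkt.payload) for p in self.patterns):
            return None
        self.alerts.append(pkt.src)
        # The RST is addressed to the attack source. Its sequence number is
        # the attack packet's acknowledgement number, i.e. the next sequence
        # number the attack source expects; otherwise the source drops it.
        return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport,
                      seq=pkt.ack, ack=0, flags="R")


def visible_source(slb, ips, rip):
    """Send an attacking response from real server `rip` through the SLB and
    return (address reported by the IPS, destination of the IPS's RST)."""
    attack = Packet(src=rip, sport=80, dst=CLIENT, dport=40001, seq=5000, ack=1047,
                    payload=b"HTTP/1.1 200 OK\r\n\r\n<script>evil()</script>")
    rst = ips.inspect(slb.outbound(attack))
    return ips.alerts[-1], rst.dst


def demo():
    slb = SLB(VIP, RIPS)
    ips = IPS(PATTERNS)
    # Inbound: the client's request is DNATed to the first real server.
    req = Packet(src=CLIENT, sport=40001, dst=VIP, dport=80, seq=1000, ack=0,
                 payload=b"GET / HTTP/1.1\r\nHost: www.a.com\r\n\r\n")
    rip_chosen = slb.inbound(req).dst
    # Outbound: the same attack from 301a and from 301b looks identical to
    # the IPS, so the report cannot say which server carries the code.
    reported_a = visible_source(slb, ips, RIPS[0])
    reported_b = visible_source(slb, ips, RIPS[1])
    return rip_chosen, reported_a, reported_b


if __name__ == "__main__":
    chosen, a, b = demo()
    print("request forwarded to", chosen)
    print("attack from 301a reported as", a, "/ from 301b as", b)
```

Running the module forwards the client's request to 192.168.20.1 and, for the outbound attacks, reports 10.10.1.100 as the source in both cases, with the RST likewise addressed to the VIP rather than to the offending real server: exactly the information loss at the administrator terminal that (2) and (3) of FIG. 3 describe.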
Conventionally, to cope with such an attack from an internal network to an external network, an IPS 302 is also installed between the SLB 201 and the servers 301a and 301b, separately from the IPS 202, as in the configuration of the communications network shown in FIG. 4. Namely, the IPS 202 detects and blocks an attack made from the client terminals 101a, 101b, . . . in the external network 100 and notifies the administrator terminal 203, whereas the IPS 302 detects and blocks an attack made from either of the servers 301a and 301b in the internal network 200 and notifies the administrator terminal 203. As a result, the source of an attack made from the internal network 200 to the external network 100 can be identified, since the IPS 302 sees the packet before its source address is rewritten to the VIP.
However, the two IPSes 202 and 302 are separately installed in this conventional configuration, leading to an increase in the system cost.